How do you square privacy with a request from a law enforcement officer supported by regulation paperwork?

The way it's supposed to work in the US is that the police go to a judge with their argument for why an individual's privacy needs to be invaded, and the judge decides whether the argument presented is legally valid and compelling enough to grant a limited warrant. The general idea is that the state's use of power should be very limited to minimize violating its citizens' rights. The government rooting through your private correspondence should be the exception, not the norm.

Quote:

Originally Posted by Terry

If you use gmail or facebook then you have no privacy.

Google and Facebook have gotten their fair share of criticism, and at least with gmail and Facebook, you have a choice whether to use them or not. You don't have a choice when the government decides it wants to go looking through your email.

Quote:

As I pointed out, they only access your data if a crime has been committed.

In a perfect world perhaps. In the real world, laws can have unintended consequences, people will make mistakes, and unscrupulous types will abuse power to punish their perceived enemies. It's generally wiser to take a cautious approach, granting limited powers to the state, than authorizing broad powers with a "I don't care because I don't have anything to hide" attitude.

It is depressing to see the tired old "I have nothing to hide" argument crop up again. There are so many good counter-arguments and illustrative and persuasive examples that it should hardly be necessary to trot them out again, but at every new blow against even the principle of basic privacy, someone is sure to pipe up and say "Why should I worry? Nobody who has nothing to hide should worry about this."

My usual tack with such thoughtless declarations is to ask people if they talk differently to family members or close friends when they know they will be overheard, as in a lift (elevator) or small restaurant, as opposed to how they would speak to the same people when alone and unheard by others. Most people would say yes, of course they do.

If you knew that all of your email was presumptively available to strangers to read, to your boss or to the government, wouldn't you write some things differently and omit writing other things completely, even if they were reasonably innocent and not obviously "something to hide"? Of course, unfortunately, as a practical matter that is technically already the case, considering the ubiquity of hackers, your ISP's abilities, the inexorably feckless Facebook's latest outrage, and government surveillance capabilities. Some measure of vulnerability must be assumed, but unless you are specifically targeted for some reason, it is unlikely that your messages will be read. They might be scanned by a computer for commercial purposes, but while that is certainly not desirable, neither does it conjure up memories of East Germany and the Stasi the way the Australian law does.

Just because your body lacks overtly hideous blemishes or other deficiencies that trouble or embarrass you and make you feel like the Elephant Man, would you strip naked and submit to being seen by strangers who have no clear need or entitlement to see you in that state? Unless we were clinical exhibitionists, most of us would not, even if we thought fairly well of our naked selves.

Here's a summary by the people at DuckDuckGo that summarizes the situation fairly well:

_________________________________________________________
Three Reasons Why the "Nothing to Hide" Argument is Flawed

FILED UNDER OPINION ON 27 JUN 2018

Over the years, we at DuckDuckGo have often heard a flawed counter-argument to online privacy: “Why should I care? I have nothing to hide.”

As Internet privacy has become more mainstream, this argument is rightfully fading away. However, it’s still floating around and so we wanted to take a moment to explain three key reasons why it's flawed.

1) Privacy isn’t about hiding information; privacy is about protecting information, and surely you have information that you’d like to protect.

Do you close the door when you go to the bathroom? Would you give your bank account information to anyone? Do you want all your search and browsing history made public? Of course not.

Simply put, everyone wants to keep certain things private and you can easily illustrate that by asking people to let you make all their emails, texts, searches, financial information, medical information, etc. public. Very few people will say yes.

2) Privacy is a fundamental right and you don't need to prove the necessity of fundamental rights to anyone.

You should have the right to free speech even if you feel you have nothing important to say right now. You should have the right to assemble even if you feel you have nothing to protest right now. These should be fundamental rights just like the right to privacy.

And for good reason. Think of commonplace scenarios in which privacy is crucial and desirable like intimate conversations, medical procedures, and voting. We change our behavior when we're being watched, which is made obvious when voting; hence, an argument can be made that privacy in voting underpins democracy.

3) Lack of privacy creates significant harms that everyone wants to avoid.

You need privacy to avoid unfortunately common threats like identity theft, manipulation through ads, discrimination based on your personal information, harassment, the filter bubble, and many other real harms that arise from invasions of privacy.

In addition, what many people don’t realize is that several small pieces of your personal data can be put together to reveal much more about you than you would think is possible. For example, an analysis conducted by MIT researchers found that “just four fairly vague pieces of information — the dates and locations of four purchases — are enough to identify 90 percent of the people in a data set recording three months of credit-card transactions by 1.1 million users.”

It’s critical to remember that privacy isn't just about protecting a single and seemingly insignificant piece of personal data, which is often what people think about when they say, “I have nothing to hide.” For example, some may say they don't mind if a company knows their email address while others might say they don't care if a company knows where they shop online.

However, these small pieces of personal data are increasingly aggregated by advertising platforms like Google and Facebook to form a more complete picture of who you are, what you do, where you go, and with whom you spend time. And those large data profiles can then lead much more easily to significant privacy harms. If that feels creepy, it’s because it is.

We can't stress enough that your privacy shouldn’t be taken for granted. The ‘I have nothing to hide’ response does just that, implying that government and corporate surveillance should be acceptable as the default.

Privacy should be the default.
__________________________________________

Right on. Thank you, communicant.

The arguments in favor of invasive laws such as those passed in Australia completely miss the point, and it's honestly exhausting to have to explain over and over again the fundamental principles of privacy and freedom of speech. Such laws harm the average, innocent user far more than they help, and they enable the potential for incredible abuse. The unintended (and often unpredictable) consequences are far more troubling than the so-called benefits, and unfortunately, we are witnessing the creation of precedent and infrastructure that will have enormous potential for negative impact on society.

I also think this is a generational issue to some degree, and these idiotic laws are buoyed up by lousy reasoning and apathy, plus the younger generation is clueless as to what can happen when such power is truly abused. And those "bad actors" who are supposed to be targeted by the new laws can quickly adapt and find ways to circumvent them, thus encouraging even more invasive laws. It is a giant unfolding tragedy that will cause immense problems in the future.

One of the worst and most predictable outcomes of these kinds of laws is that infrastructure to comply with such regulations will be increasingly forced on services we rely upon every day for personal, private communications, eroding the security of a number of our services. This will creep slowly but surely across the Five Eyes countries, and even if one or more of them don't duplicate the regulations, their global application platforms will duplicate the vulnerabilities. It is very sad to see such stupidity continue to reign in government mandates, and the consequences will be felt far and wide, well beyond Australia.

I for one am now reconsidering my usage of FastMail. I'm not satisfied by FM's response, and definitely not satisfied by the justifications and protections related to the current law. Not to mention the ineptitude of the people running any oversight of such powerful invasive regulations, and where they might go next.

At the minimum, I feel I will have to look to change my habits and usage of email and related tools. Like I mentioned, I feel like we're fighting a losing battle, and certain fundamental rights will continue to be eroded. For me, anything sensitive or personal will most likely not flow through Fastmail anymore, for example... not sure if that means I cancel my accounts, or if I reduce/change usage patterns over time. We'll see.

...For me, anything sensitive or personal will most likely not flow through Fastmail anymore, for example... not sure if that means I cancel my accounts, or if I reduce/change usage patterns over time. We'll see.

What are your/people's thoughts on the current best alternative email providers given the implication of these changes in Australian law?

As a person living in the US who cares very deeply about privacy and freedom of speech as fundamental human rights, I am not in a great position for getting the kind of service I really want. It wasn't that long ago that even in the US, McCarthyism took over like wildfire and plenty of people with power would have LOVED laws like what was just passed in Australia. Can you imagine that today? Oh, but wait a second... living in the post-911 and post-Snowden era, especially with the political climate we have now, we're literally only a McCarthy away from another national witch hunt. We really are an example to the world -- really brilliant over here in the US, aren't we? We've set ourselves up quite nicely for another national tragedy and continue to refuse to learn the lessons of even recent history. Just look at the social media manipulations of election politics alone. (i.e. look at the Cambridge-Analytica scandal.) Why do we not learn?

I think there are just a handful of approaches to privacy in this situation, and I'm not sure which one I'll apply to FastMail in light of the new law (and the apparent/potential direction of the laws), and also FastMail's inadequate (IMO) response. Maybe if we're lucky, they'll reverse course... but I don't see solid evidence of that. I see this law as a little gateway experiment in a way by the Five Eyes countries to see how far they can push things. And I certainly don't see enough outrage in Australia to reverse course. Welcome to the new normal IMO. Folks, it's a very slippery slope...

So here are the approaches I'm considering:

1) Privacy by anonymity -- I may just pull FastMail's email back to mega US providers that allow somewhat of a semblance of privacy due to their massive size. There's something to be said about getting lost in the noise, I hate to say. I have heavily used various paid business email accounts at Microsoft and Google (enterprise Office 365 and paid G Suite accounts), so I might just fold my FastMail email into one of those services with another paid account. US corporate liability standards and better EULAs/SLAs add another layer of accountability to those services, which IMO provides a slight improvement in terms of protection.

2) Privacy by US-based security-oriented service with extra hoops to jump through -- I may sign up for Luxsci again, which although very small, they have a decent security focus, and they have HIPAA compliant services, which is one more hoop anyone has to jump through... which is a slight improvement in terms of protection. Plus they have vastly superior customer support compared to FastMail. Downside they are more expensive.

3) Privacy by jurisdiction -- I might move more mail over to services located in jurisdictions that have far superior laws. Right now I already have an account at Runbox, which has a better jurisdiction than FastMail by far, and I've also been looking at ProtonMail as an option, and a while ago I was looking at what is now called Kolab Now. The problem with these kinds of providers is that by default their servers are associated with the perception that their services are for people who specifically seek privacy, and that carries its own marker TBH. You're basically advertising that you want privacy when you use those services. Runbox to a lesser extent BTW, since it existed prior to the whole privacy mess we live in now. My main problem with Runbox, though, is that I can never escape the feeling that they are going to disappear on me... or get crushed by some attack or philosophical change in the legal winds that blow in Norway, although they keep hanging in there. Who knows? Runbox is the little provider that keeps going and going... and the folks there are really nice, and I like what they are trying to do.

4) Privacy by changing usage patterns -- I might just stick with FastMail and simply change my email patterns and only run less personal stuff through it. After all, if you remove all the jurisdiction and Five Eyes issues, FastMail is actually a very good service -- good interface, good features, good uptime... It will be hard to say goodbye to FastMail entirely. I just don't consider it in the category of privacy-oriented services at this point... it was always borderline before, but now I have to demote it a notch.

5) Privacy by spreading it around -- so the last approach I'm personally willing to take, which is more or less the way I've been doing it -- is by spreading things around to a bunch of providers. It's a hassle of course, but it creates little firewalls between pieces of my content.

6) Privacy by self-managed encryption -- of course I have to mention there is the hard-core encryption approach, and this would obviously solve many of the issues. However, once again, you are advertising that you want privacy, but more significantly, you are introducing a whole new layer of hassle. I have yet to find a service or workflow that didn't get in the way of basic smooth communication, and I've never been able to make it work for normal life. Alas, I have had to admit to myself that I actually need to find a balance that includes simplicity and convenience to some degree too. And so this approach is not really going to work for me until someone comes up with a really great way to do it. And honestly, at that point, you are only as safe as your weakest link... but that's a different discussion.

So I'm still not sure what I will do, and I don't mean to sound pessimistic... but well, I am now pessimistic when it comes to these issues and FastMail.

One further approach, very tricky these days for most people, is to host your own mail server. Security and spam issues may make this time consuming.

Very true. It's not for the faint of heart of course! I tried it a long time ago, and I remember looking at the server's firewall and email logs one morning because the server was kind of laggy, and it scared the living daylights out of me. The server was under intense bombardment and hacking attempts, and it wasn't just that morning... it had been going on for a while. Miraculously, I never got hacked (that I know of), but it sure stressed me out. The IP addresses were from all over the world... I was pretty amazed. The most intense attempts I believe were from Russia and China... and I figured whoever was trying to take over the server knew a lot more about security than I did, and it would only be a matter of time before I was toast. So I subsequently decided to outsource my email. :-)

It definitely is a viable option though... there is good documentation out there (including in this forum!) on how to set up and secure an email server, and with careful security/patch maintenance and monitoring at a really good hosting provider, it could work. I very much respect any brave soul who ventures into email hosting...

Love the sense of humor. Appalled by the situation. What kind of idiocy led to this state we're in? Like I mentioned in a previous post, I see this law as a little gateway experiment in a way by the Five Eyes countries to see how far they can push things.

But the F/m servers are in the US along with all the data so are they governed by Australia law or US Law?

Does it matter at this point? And it depends on what aspect you're talking about. There are probably some subtle nuances as to which legal instrument the US or Australian government might use to access the physical servers, the NYI datacenters where they are located, the business entity of FM itself, the end users, the data itself, any data that flows internationally, etc., etc... if anything, this law just opened a Pandora's box of possibilities that the law enforcement and intelligence agencies are probably drooling over.

The more I learn about it, the more I realize this new Australian law is so terrible and insanely stupid I can't even believe the parliament voted for it. I don't see any real, meaningful oversight mechanism... at least in the US we have judicial oversight (and yes, we even have a lovely secretive FISA court, but it's still a court, right?!?!)... the Aussies just blew right past that and set a new low.... what in the world just happened? And did you read about the whistleblower provisions? It's positively draconian. The language is so vague and subject to interpretation... and tramples so thoroughly on due process, I don't see how any company that values their data ANYWHERE will ever trust an Australian IT company at this point... and any big international service that operates in Australia is going to have to deal with this one way or another. What a mess. Even on a business level, the Australian government just lobbed a giant bomb at their own IT industry.

In fact, the more I think about it, the more I'm certain I'll be migrating away from FastMail, unless Australia comes to her senses.

If I were involved with FastMail, I'd be signing on to any huge lawsuit right now against this law... oh, but wait, Australia doesn't have an actual Bill of Rights... so I guess the legal battle will be that much more difficult...

Or, I'd be packing up my bags and moving FastMail to a better jurisdiction.

Right. But in addition, don't have Aussie customers, otherwise the new legislation kicks in again. Revenue-wise, probably not an issue to exclude that market.

Effectively, the way I see it, any Company/App that provides services to an Australian is impacted by these laws.
Or will there be an App for Australians (with the backdoor facility) and another version for everyone else?

Quote:

Originally Posted by ioneja

3) Privacy by jurisdiction -- I might move more mail over to services located in jurisdictions that have far superior laws. Right now I already have an account at Runbox, which has a better jurisdiction than FastMail by far, and I've also been looking at ProtonMail as an option, and a while ago I was looking at what is now called Kolab Now. The problem with these kinds of providers is that by default their servers are associated with the perception that their services are for people who specifically seek privacy, and that carries its own marker TBH. You're basically advertising that you want privacy when you use those services. Runbox to a lesser extent BTW, since it existed prior to the whole privacy mess we live in now. My main problem with Runbox, though, is that I can never escape the feeling that they are going to disappear on me... or get crushed by some attack or philosophical change in the legal winds that blow in Norway, although they keep hanging in there. Who knows? Runbox is the little provider that keeps going and going... and the folks there are really nice, and I like what they are trying to do.

Good post! With my good intentions for 2019 regarding security, privacy and sustainability, I opened a few days ago an account at Runbox. Qua web interfacing, etc. they are far behind FastMail, but they have proven themselves enough over the years to trust them. [Nostalgia /on] And frankly they remind me the most of the earlier years of FM when they were not that big yet [Nostalgia /off].

... I opened a few days ago an account at Runbox. Qua web interfacing, etc. they are far behind FastMail, but they have proven themselves enough over the years to trust them.

I agree they have proven themselves and personally they have earned my trust. But I just always wonder if the sky will fall on them. I don't know why I feel that way... maybe because they seem very SLOW at implementing new features, and I feel like they are constantly on the verge of becoming obsolete... only to surprise me with a great implementation of some important feature... like 2FA, with which they were late to the game, but it works great and is actually pretty deep... and you can check out their new webmail beta, which is starting to come together nicely, after what seems like forever. So I guess I shouldn't be skeptical or nervous about them... they have survived when many other providers have bitten the dust and they keep marching along like an old Energizer Bunny commercial.

BTW, Runbox customer service is excellent, very personal, very competent. Not quite to the level of Luxsci (which is the gold standard IMO), but still much better than FastMail. The folks at Runbox are very nice and have a good philosophy and direction IMO, so I plan to stick with them for at least one of my accounts. Just not sure I want to move tons of email over to them yet! :-)

And don't get me wrong, FastMail is still good... minus the jurisdiction issues... After the Opera adventure, they really settled into a decent groove. I just don't think I can stomach dealing with this whole Australia insanity and Five Eyes mess much more.

Quote:

Originally Posted by Berenburger

[Nostalgia /on] And frankly they remind me the most of the earlier years of FM when they were not that big yet [Nostalgia /off].

Very true. The other day I felt strangely, really good in Runbox 6, which felt like good ol' email used to feel. Usually I find it limiting but tolerable, but there was something zen-like about it. Plus it just works.

.. they have survived when many other providers have bitten the dust and they keep marching along like an old Energizer Bunny commercial.

BTW, Runbox customer service is excellent, very personal, very competent..

I think these two facts are strongly connected with each other. When customers like and trust a company, they will overlook a lot of defects in the service. Frankly, that is why FastMail survived some years ago when reliability was a major concern, but their honesty and obvious desire to overcome the problems kept so many of us loyal.